Active Directory Federation Services Overview

Updated: April 25, 2007

Applies To: Windows Server 2008, Windows Server 2008 R2

You can use the Active Directory® Federation Services (AD FS) server role in the Windows Server® 2008 and Windows Server 2008 R2 operating systems to create a highly extensible, Internet-scalable, and secure identity access solution that can operate across multiple platforms, including both Windows and non-Windows environments.

In the following sections, you will learn more about AD FS, including an overview of the technology, and how to install and manage it.

What is AD FS?

AD FS is an identity access solution that provides browser-based clients (internal or external to your network) with seamless, "one prompt" access to one or more protected Internet-facing applications, even when the user accounts and applications are located in completely different networks or organizations.

When an application is in one network and user accounts are in another network, it is typical for users to encounter prompts for secondary credentials when they attempt to access the application. These secondary credentials represent the identity of the users in the realm where the application resides. The Web server that hosts the application usually requires these credentials so that it can make the most appropriate authorization decision.

AD FS makes secondary accounts and their credentials unnecessary by providing trust relationships that you can use to project a user's digital identity and access rights to trusted partners. In a federated environment, each organization continues to manage its own identities, but each organization can also securely project and accept identities from other organizations.

Furthermore, you can deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions between trusted partner organizations. Federated B2B partnerships identify business partners as one of the following types of organization:

Resource organization: Organizations that own and manage resources that are accessible from the Internet can deploy AD FS federation servers and AD FS-enabled Web servers that manage access to protected resources for trusted partners. These trusted partners can include external third parties or other departments or subsidiaries in the same organization.

Account organization: Organizations that own and manage user accounts can deploy AD FS federation servers that authenticate local users and create security tokens that federation servers in the resource organization use later to make authorization decisions.

The process of authenticating to one network while accessing resources in another network—without the burden of repeated logon actions by users—is known as single sign-on (SSO). AD FS provides a Web-based, SSO solution that authenticates users to multiple Web applications over the life of a single browser session.

AD FS role services

The AD FS server role includes federation services, proxy services, and Web agent services that you configure to enable Web SSO, federate Web-based resources, customize the access experience, and manage how existing users are authorized to access applications.

Depending on your organization's requirements, you can deploy servers running any one of the following AD FS role services:

Federation Service: The Federation Service comprises one or more federation servers that share a common trust policy. You use federation servers to route authentication requests from user accounts in other organizations or from clients that may be located anywhere on the Internet.

Federation Service Proxy: The Federation Service Proxy is a proxy to the Federation Service in the perimeter network (also known as a demilitarized zone and screened subnet). The Federation Service Proxy uses WS-Federation Passive Requester Profile (WS-F PRP) protocols to collect user credential information from browser clients, and it sends the user credential information to the Federation Service on their behalf.

Claims-aware agent: You use the claims-aware agent on a Web server that hosts a claims-aware application to allow the querying of AD FS security token claims. A claims-aware application is a Microsoft ASP.NET application that uses claims that are present in an AD FS security token to make authorization decisions and personalize applications.

Windows token–based agent: You use the Windows token–based agent on a Web server that hosts a Windows NT token–based application to support conversion from an AD FS security token to an impersonation-level, Windows NT access token. A Windows NT token–based application is an application that uses Windows-based authorization mechanisms.
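As an added illustration of the claims-aware agent described above (example code written for this page, not Microsoft's sample application): an ASP.NET page that makes an authorization decision from a group claim in the AD FS security token and personalizes output from a custom claim. It assumes the agent exposes the user as System.Web.Security.SingleSignOn.SingleSignOnIdentity with a SecurityPropertyCollection of SecurityProperty items (Name, Uri, Value); the claim names Purchasers and Department are constructed for the example.

```csharp
// Added example, not the page's or the AD FS product's own code.
// Assumption: the AD FS claims-aware agent (AD FS 1.x) populates User.Identity with a
// SingleSignOnIdentity whose SecurityPropertyCollection carries the token's claims.
using System;
using System.Web;
using System.Web.UI;
using System.Web.Security.SingleSignOn;

public partial class OrdersPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        SingleSignOnIdentity ssoId = User.Identity as SingleSignOnIdentity;

        // The agent normally redirects unauthenticated browsers to the Federation Service,
        // so reaching this point without a federated identity indicates a misconfiguration.
        // Fail closed rather than falling back to anonymous access.
        if (ssoId == null || !ssoId.IsAuthenticated)
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // Authorization decision: group claims issued by the account organization
        // surface as roles, so the resource side never needs a local account.
        // "Purchasers" is a constructed group-claim name.
        if (!User.IsInRole("Purchasers"))
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // Personalization: read a custom claim ("Department" is constructed).
        string department = GetClaimValue(ssoId, "Department") ?? "unknown";
        Response.Write(Server.HtmlEncode(
            "Welcome " + ssoId.Name + " (" + department + ")"));
    }

    // Returns the first claim whose Name matches, or null if the token has no such claim.
    // Assumption: SecurityProperty exposes Name and Value.
    private static string GetClaimValue(SingleSignOnIdentity id, string claimName)
    {
        foreach (SecurityProperty sp in id.SecurityPropertyCollection)
        {
            if (string.Equals(sp.Name, claimName, StringComparison.OrdinalIgnoreCase))
                return sp.Value;
        }
        return null;
    }
}
```

The page trusts only what the Federation Service placed in the token; the group and custom claims it checks must be mapped in the trust policy, otherwise IsInRole returns false and access is denied.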

Installing the AD FS role

After you finish installing the operating system, a list of initial configuration tasks appears. To install AD FS, in the list of tasks, click Add roles, and then click Active Directory Federation Services.

Managing the AD FS role

You can manage server roles with Microsoft Management Console (MMC) snap-ins. After you install AD FS, you can use the Active Directory Federation Services snap-in to manage both the Federation Service and Federation Service Proxy role services. To open this snap-in, click Start, click Administrative Tools, and then click Active Directory Federation Services.